AFP / Getty Images
The accusations that the Democratic People’s Republic of Korea actually hacked Sony are still without solid evidence. According to various security experts this is just not possible, especially considering their IT infrastructure.
Here are a couple of those experts:
A renowned hacker, DEFCON organizer, and CloudFlare researcher Marc Rogers, gives some proof:
“The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”. i.e it reads to me like an English speaker pretending to be bad at writing English.
It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.”
Kim Zetter of Wired wrote a great opinion article on ongoing North Korean skepticism:
“But in their initial public statement, whoever hacked Sony made no mention of North Korea or the film. And in an email sent to Sony by the hackers, found in documents they leaked, there is also no mention of North Korea or the film. The email was sent to Sony executives on Nov. 21, a few days before the hack went public. Addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, it appears to be an attempt at extortion, not an expression of political outrage or a threat of war.
“[M]onetary compensation we want,” the email read. “Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.””
ROBYN BECK/AFP / Getty Images
Author Peter W. Singer also thinks it’s not true:
“So far, the information that’s come out has pointed the finger at North Korean proxy groups, but it’s been context based. It wouldn’t meet the level needed in a court of law. The context combines the fact that they’re pissed about this movie, and certain techniques in it are similar to what has been used in other attacks linked not definitively to North Korea. It’s enough for most people to talk about [it being from North Korea], at least.”
Harvard Law professor and security expert Jack Goldsmith remains skeptical of the FBI’s case so far.
First, the “evidence” is of the most conclusory nature – it is really just unconfirmed statements by the USG. Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea. We know nothing about the attribution veracity of those prior attacks. Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack. For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – “specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” and similarities in the “infrastructure” and “tools” of prior attacks – to spoof the North Koreans in the Sony hack.
Third, the most significant line in the FBI statement is this: “While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following.” Let us assume that the United States has a lot of other evidence, including human or electronic intelligence from inside Korea, that corroborates its attribution conclusion. This might give the USG confidence in the attribution and might support the legality of a proportionate response. But if protection of “sources and methods” prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response on North Korea is justified. (Compare Adlai Stevenson and Colin Powell before the United Nations.)
And last but not least, here’s the suspicious statement published by the country’s official news agency, KCNA, on Sunday, December 21:
“Fighters for justice including ‘guardians of peace’ who turned out in the sacred drive for cooperation in the fight against the U.S. to defend human justice and conscience and to dismember the U.S. imperialists …. are sharpening bayonets not only in the U.S. mainland but in all other parts of the world. The just struggle to be waged by them across the world will bring achievements thousands of times greater than the hacking attack on the Sony Pictures Entertainment.”
“The U.S. should reflect on its evil doings that put itself in such a trouble, apologize to the Koreans and other people of the world and should not dare pull up others.”